audioscrobbler password saved as plaintext in gconf

Bug #42686 reported by Kevin J Brown
This bug affects 9 people
Affects             Status        Importance  Assigned to          Milestone
Rhythmbox           Expired       Low
rhythmbox (Ubuntu)  Fix Released  Medium      Ubuntu Desktop Bugs

Bug Description

When saving a password for audioscrobbler, it is saved in .gconf unencoded. It appears in

/home/kevinly/.gconf/apps/rhythmbox/audioscrobbler/%gconf.xml

I realize that you should use different passwords for different websites, but some may inadvertently set the user's (and thus su) password for their audioscrobbler password.

A better option would be to store the md5 of the password instead since that is all last.fm requires for authorization. An optimal solution may be to use gnome-keyring instead of gconf.

Revision history for this message
Kees Cook (kees) wrote :

Agreed, rhythmbox should use the gnome keyring to store passwords.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug. That's known upstream: http://bugzilla.gnome.org/show_bug.cgi?id=349132

Changed in rhythmbox:
assignee: nobody → desktop-bugs
status: Unconfirmed → Confirmed
Changed in rhythmbox:
status: Unknown → Unconfirmed
Revision history for this message
Jonas Finnemann Jensen (jopsen) wrote :

You technically only need to store md5sum of the password, since that's all that's needed to perform a handshake with last.fm servers...
That md5 sum still ought to be stored in gnome keyring, since it could be used by anyone to scrobble/listen to users account... However md5 sum cannot be used to login to the last.fm website...

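To make the point in the two comments above concrete, here is an added example (not code from Rhythmbox or from anyone on this report) showing why only the md5 needs to be stored and why that md5 is still a secret. It assumes the Audioscrobbler submission-protocol 1.2 handshake, where the auth token is md5(md5(password) + timestamp); the migration helper and its hex-detection heuristic are my own illustration of what the md5 patch has to do with legacy plaintext gconf values.

```python
import hashlib
import time


def password_md5(password: str) -> str:
    """The value the md5 patch stores in gconf instead of the plaintext password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def handshake_token(stored_md5: str, timestamp: int) -> str:
    """Audioscrobbler 1.2 auth token (assumed format): md5(md5(password) + timestamp).

    Only the stored md5 is needed; the plaintext never enters the computation.
    Consequently anyone who can read the md5 can scrobble as the user, which is
    why the md5 still belongs in gnome-keyring rather than a world-readable
    gconf file, even though it does not log in to the last.fm website.
    """
    return hashlib.md5((stored_md5 + str(timestamp)).encode("ascii")).hexdigest()


def migrate_gconf_value(value: str) -> str:
    """Convert a legacy plaintext gconf password to its md5 form.

    Heuristic (assumption, not from the patch): a 32-character lowercase hex
    string is treated as already migrated. A plaintext password that happens
    to look like that would be passed through unchanged, so a real migration
    should track a schema/version flag instead of sniffing the value.
    """
    if len(value) == 32 and all(c in "0123456789abcdef" for c in value):
        return value
    return password_md5(value)


if __name__ == "__main__":
    # Constructed sample values; "hunter2" is not anyone's real password.
    legacy = "hunter2"
    stored = migrate_gconf_value(legacy)          # 2ab96390c7dbe3439de74d0c9b0b1767
    now = int(time.time())
    print("stored md5:", stored)
    print("token from md5 only:", handshake_token(stored, now))
```
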
Revision history for this message
Michael Rooney (mrooney) wrote :

Okay, after reading the upstream bug, the idea of using the md5 is being criticized because you can still log into the site. First, Jonas claims this isn't even true. Second, as others have mentioned, people might be using the same password for another site and as such compromising this password could be a serious issue.

I would recommend applying the patch provided upstream (against 11.2, I would guess it would apply to 11.5 with proper offsets) to store the md5 instead of the password. This would at least reduce the issue. Then it should also be stored in gnome-keyring but the issue wouldn't be as immediate IMO.

Can anyone attempt to apply the patch and give us access to a test package via PPA?

Revision history for this message
Michael Rooney (mrooney) wrote :

Actually, this would be a good project for me, in order to learn how to do these sorts of things, so I will attempt to get a package up with the md5 patch in the next day or two.

Revision history for this message
Daniel T Chen (crimsun) wrote :

@Mike any movement on the patch?

Revision history for this message
Michael Rooney (mrooney) wrote : Re: [Bug 42686] Re: audioscrobbler password saved configuration file

On Thu, Sep 11, 2008 at 1:49 AM, Daniel T Chen <email address hidden> wrote:
> @Mike any movement on the patch?

Thanks for the reminder Daniel, I'll take another look at it for Intrepid.

Revision history for this message
Michael Rooney (mrooney) wrote : Re: audioscrobbler password saved configuration file

Five chunks of the patch failed (it looks like there has been some rework/updating in the plugin since this patch was made), so I had to do some of it by hand, making a guess or two at behavior. I am going to try compiling the new plugin and seeing if it works, and/or submitting it upstream for a review.

Changed in rhythmbox:
assignee: desktop-bugs → michael
status: Confirmed → In Progress
Revision history for this message
Michael Rooney (mrooney) wrote :

Alright, here is the patch I came up with (also sent upstream). It seems to work in that new passwords are stored as md5 and existing plaintext ones are converted, and tracks are successfully sent to last.fm.

Daniel, you seem to have some experience in this area, any hints for a first time contributor? Should I attempt to get a PPA up to ease testing? Or what is the next step?

Changed in rhythmbox:
status: In Progress → Confirmed
description: updated
Michael Rooney (mrooney)
Changed in rhythmbox:
assignee: michael → nobody
Changed in rhythmbox:
assignee: nobody → desktop-bugs
status: Confirmed → Triaged
Revision history for this message
Julien Lavergne (gilir) wrote :

Hi Mike,

If you want more testing, I uploaded a version in my PPA: https://launchpad.net/~gilir/+archive
For me, seems to work just fine :)

Revision history for this message
Nigel Babu (nigelbabu) wrote :

This bug seems to be fixed in Karmic. Closing the report.

Changed in rhythmbox (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Nigel Babu (nigelbabu) wrote :

Apologies. Upstream comment indicates that this is not yet fixed, but will be fixed to using gnome keyring.

Changed in rhythmbox (Ubuntu):
status: Fix Released → Confirmed
Changed in rhythmbox (Ubuntu):
status: Confirmed → Triaged
David Futcher (bobbo)
tags: added: patch-forwarded-upstream
Changed in rhythmbox:
importance: Unknown → Low
Changed in rhythmbox:
status: New → Expired
Revision history for this message
Stijn Brouwers (stijnbrouwers) wrote :

I just checked, apparently the bug has been fixed upstream about a year ago...
I tested it locally and I can't seem to find the password stored locally anywhere.

Changed in rhythmbox (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.